registry  /  melduo  /  0.1.3

melduo@0.1.3

Deploy your repo to AWS with AI agents — from your terminal.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked deployment CLI with broad but purpose-aligned GitHub, AWS, local git, and Melduo API capabilities.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs melduo login, init, deploy, logout, whoami, or interactive CLI commands.
Impact
Can modify the user's repo deploy branch/worktree, GitHub Actions secrets, and AWS CloudFormation/IAM resources after explicit CLI commands and prompts.
Mechanism
deployment automation using GitHub/AWS APIs, local git commands, and Melduo API/LLM proxy
Rationale
Static inspection shows powerful deployment functionality, but it is exposed through the declared melduo CLI commands with no install-time execution or unconsented credential exfiltration. Scanner credential-exfiltration hints are explained by package-aligned GitHub/AWS/Melduo API use and local credential storage.
Evidence
package.jsondist/cli.js.melduo/project.json.melduo/settings.local.json.melduo/cache/analysis.json.melduo/worktree.gitignore
Network endpoints3
api.melduo.comapi.github.comus.i.posthog.com

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/cli.js can read GITHUB_TOKEN or gh auth token for user-invoked GitHub API calls.
  • dist/cli.js sends deployment analysis/session data to https://api.melduo.com and telemetry email to PostHog unless disabled.
  • dist/cli.js can create GitHub secrets, worktrees/branches, workflows, and AWS IAM/CloudFormation resources during melduo init/deploy.
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks; only bin melduo -> dist/cli.js.
  • Network and token use is aligned with declared CLI purpose: deploying a GitHub repo to the user's AWS account.
  • Credential writes are local Melduo config credentials.json with mode 0600; AWS credentials are used through profiles/fromIni, not harvested for exfiltration.
  • Repo/file reads are bounded through user-invoked analyzer/deployer tools and fs jail checks.
  • No eval/vm/Function, native binary loading, stealth persistence, destructive install-time behavior, or AI-agent control-surface mutation found.
Behavioral surface
Source
CryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 207 KB of source, external domains: api.github.com, api.melduo.com, us.i.posthog.com

Source & flagged code

2 flagged · loading source
dist/cli.jsView file
16try { L17: const body = await response.json(); L18: if (body.error) code = body.error; ... L68: try { L69: response = await fetch(this.url(path16), { L70: method, L71: headers: this.headers(), L72: body: body === void 0 ? void 0 : JSON.stringify(body), L73: signal: signal ?? null ... L182: function resolveApiBaseUrl() { L183: return process.env.MELDUO_API_URL ?? loadGlobalConfig().apiBaseUrl ?? DEFAULT_API_BASE_URL; L184: }
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/cli.jsView on unpkg · L16
16Trigger-reachable chain: manifest.bin -> dist/cli.js L16: try { L17: const body = await response.json(); L18: if (body.error) code = body.error; ... L68: try { L69: response = await fetch(this.url(path16), { L70: method, L71: headers: this.headers(), L72: body: body === void 0 ? void 0 : JSON.stringify(body), L73: signal: signal ?? null ... L182: function resolveApiBaseUrl() { L183: return process.env.MELDUO_API_URL ?? loadGlobalConfig().apiBaseUrl ?? DEFAULT_API_BASE_URL; L184: }
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli.jsView on unpkg · L16

Findings

2 Critical3 Medium5 Low
CriticalCredential Exfiltrationdist/cli.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings